Threat actors are targeting a years-old remote code execution vulnerability in Microsoft Office in order to deliver Cobalt Strike beacons that can be used in future follow-on attacks.
The attack was first discovered in August after victims received phishing emails containing malicious document attachments. One email claimed to be collecting personally identifiable information in order to decide if the victim was eligible for employment with a U.S. federal government contractor and to determine their enrollment status in the government’s life insurance program. The attached document was purportedly a U.S. Office of Personnel Management declaration with job details. Attackers used various other lures associated with this campaign, including one related to a job description for PSA plus, a trade union in New Zealand.
Once opened, the malicious Microsoft Word attachment contained an exploit for a remote code execution flaw in Microsoft Office (CVE-2017-0199), which was disclosed and patched five years ago. The payload at the end of the attack chain was the Cobalt Strike beacon, a modular attack framework that is configurable based on attackers’ intentions. The beacon used in this campaign gave attackers the ability to set up a command-and-control (C2) server and execute arbitrary code in the target processes through process injection. Researchers also found a "high-reputation domain" defined in the beacon configuration’s HostHeader component, which they believe was used as a redirector, a technique previously leveraged in Cobalt Strike campaigns to make the beacon traffic appear legitimate.
“Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections,” said Chetan Raghuprasad and Vanja Svajcer, with Cisco Talos, in a Wednesday analysis. “Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binaries into the running processes of the infected machines and can avoid having a separate injection module implant in their infection chain.”
Researchers said that the threat actor in the campaign used two highly modularized attack methods, each with multiple stages in the infection chain. Both methods involved the attached malicious document containing an embedded URL hosted on an attacker-controlled Bitbucket repository. In the first method, when a victim opened the document it downloaded a malicious DOTM file, which in turn executed multiple stages of malicious Visual Basic for Applications (VBA) scripts. These led to the execution of PowerShell scripts that were generated in the victim’s system memory, including an obfuscated downloader that deployed the Cobalt Strike DLL beacon. The second attack chain method was similar, except that it additionally made use of a 64-bit executable downloader that executed a PowerShell command to download the Cobalt Strike DLL to the “userprofile local application” temporary directory with a spoofed .png extension.
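As an added example (not code from the Talos report or this article), the following Python scans a Word document's package for the relationship types that make Word fetch content from a remote host: attached templates, as in the remote DOTM stage described above, and OLE links, the mechanism behind CVE-2017-0199. The sample document, the placeholder Bitbucket URL and the host list are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Word pull content from elsewhere: an attached
# (remote) template, as in the DOTM stage above, and OLE links (CVE-2017-0199).
REMOTE_REL_TYPES = ("attachedTemplate", "oleObject")
# Code-hosting sites the article names as abused for staging; extend as needed.
CODE_HOSTS = {"bitbucket.org", "github.com"}


def find_remote_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every external template/OLE relationship in a .docx/.dotm package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{REL_NS}Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or rel_type not in REMOTE_REL_TYPES:
                    continue  # local part or a benign external hyperlink
                host = (urlparse(target).hostname or "").lower()
                findings.append({"part": name, "type": rel_type, "target": target,
                                 "code_host": host in CODE_HOSTS})
    return findings


def _rels_xml(rel_type: str, target: str) -> str:
    """Build a one-relationship .rels part (constructed test data)."""
    return (f'<Relationships xmlns="{REL_NS[1:-1]}">'
            f'<Relationship Id="rId1" TargetMode="External" Target="{target}" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/{rel_type}"/>'
            '</Relationships>')


def build_sample_docx() -> bytes:
    """Constructed sample: a remote-template link to a placeholder Bitbucket URL
    (the DOTM stage above) plus a benign hyperlink that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", _rels_xml(
            "attachedTemplate", "https://bitbucket.org/EXAMPLE-USER/EXAMPLE-REPO/raw/main/template.dotm"))
        zf.writestr("word/_rels/document.xml.rels", _rels_xml("hyperlink", "https://www.example.com/"))
    return buf.getvalue()
```

A hit on `settings.xml.rels` with an external `attachedTemplate` target is the remote-template pattern; a `code_host` flag adds the staging signal the article describes.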
“The attack stands out because the infection chain abuses legitimate source code repositories such as Bitbucket or Github to host additional malicious components,” said Svajcer. “The attackers have created a number of new user names which are then used to deploy the remote Word document template that eventually installs the payload.”
Svajcer said that the attacks are not widespread and researchers have identified only a small number of phishing emails associated with the campaign. He said that researchers assess with low confidence (based on the content of the document lures, in the absence of additional context) that targeted users may have interest in the business of the Department of Defense or a union with a relationship to the New Zealand government.
After tracking down the attacker’s Bitbucket account in VirusTotal, researchers found that the account was also used to host two other executables in addition to the malicious DOTM template and Cobalt Strike: the Redline information stealer and the Amadey botnet. Cisco Talos researchers said that organizations should implement layered defense capabilities in order to block attacker attempts in the earlier stages of the attack's infection chain.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory,” said Raghuprasad and Svajcer. “Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.”